Background:
We have several packet decoders that receive traffic from Gigamon. That system has aggregators and taps that feed into it and provide us with the raw packet traffic. Our IDS sensors receive the same feeds.
Problem:
We have reports, fairly consistently (several per week), that an IDS sensor will fire, but when SA is used to try to identify the session related to that event, we're unable to find it.
Anyone in the RSA Link universe have tips for tackling this problem? Management wants 100% certainty that our packet decoders have all the traffic that IDS has. If our feeds are the same, the only problem I can see is with SA, but I've investigated the following for each incident:
Checked decoder performance stats (assembler pages, dropped packets, capture rate, pool pages)
Decoder system stats (CPU, memory, disk I/O, network bandwidth)
Reviewed local logs (app and system) for any irregularities
Checked app rules
Checked parsers
Checked taps are correct
Checked Gigamon feeds are correct
I have just run out of ideas. No clue how to increase the reliability of our decoder processing.
Thanks
Just a few questions for things to think about:
Is there anything special about these IDS alerts that you are not getting the packets for?
Does the IDS system see exactly the same packets as the NetWitness packet decoders?
Can you generate some sort of heartbeat packets and check that you receive them all the time in both the IDS system and the NetWitness Packet Decoder?
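One way to act on the heartbeat suggestion above, as an added example that is not part of this thread or of any RSA/NetWitness or Gigamon tooling: emit numbered heartbeat packets, then reconcile the sequence numbers each system recorded to see which side of the feed is losing traffic. The payload format, the UDP transport and the helper names are assumptions.

```python
import re
import socket
import time

# Assumed heartbeat payload format (not a NetWitness or Gigamon convention):
# a fixed marker, a monotonic sequence number and a send timestamp.
MARKER = b"NW-HEARTBEAT"
_PATTERN = re.compile(rb"^NW-HEARTBEAT seq=(\d+) ts=(\d+)$")


def build_heartbeat(seq, ts=None):
    """Build one heartbeat payload; seq is what both capture paths get compared on."""
    if ts is None:
        ts = int(time.time())
    return b"%s seq=%d ts=%d" % (MARKER, seq, ts)


def parse_heartbeat(payload):
    """Return the sequence number carried by a heartbeat, or None for other traffic."""
    m = _PATTERN.match(payload)
    return int(m.group(1)) if m else None


def send_heartbeats(dst_host, dst_port, count, interval=1.0):
    """Emit `count` UDP heartbeats through the tapped path (hypothetical destination)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for seq in range(count):
            s.sendto(build_heartbeat(seq), (dst_host, dst_port))
            time.sleep(interval)


def reconcile(sent, ids_seen, decoder_seen):
    """Classify which sent sequence numbers each system failed to record.
    Missing only on the decoder: decoder or its feed. Missing on both: upstream
    (tap or Gigamon). Missing only on the IDS: the decoder feed is fine."""
    sent = set(sent)
    decoder_missing = sent - set(decoder_seen)
    ids_missing = sent - set(ids_seen)
    return {
        "decoder_only_missing": sorted(decoder_missing - ids_missing),
        "ids_only_missing": sorted(ids_missing - decoder_missing),
        "missing_on_both": sorted(decoder_missing & ids_missing),
    }


if __name__ == "__main__":
    # Constructed sample: 10 heartbeats sent; IDS missed #7, decoder missed #3 and #7.
    sent = range(10)
    ids_seen = [s for s in sent if s != 7]
    decoder_seen = [s for s in sent if s not in (3, 7)]
    print(reconcile(sent, ids_seen, decoder_seen))
```

Populate `ids_seen` and `decoder_seen` from each system's own search for the marker string over the same time window; a non-empty `decoder_only_missing` list is the evidence management is asking for.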